[kwlug-disc] TrueCrypt Safer Than Previously Thought
Paul Nijjar
paul_nijjar at yahoo.ca
Sun Nov 22 03:01:00 EST 2015
On Sun, Nov 22, 2015 at 06:31:15AM +0000, B.S. wrote:
>
>
> My desktops at home are all overnight backup sources/receivers - I
> need them to completely self-boot after a power failure without
> manual intervention. Thus I have never encrypted the disks - for
> needing manual intervention to complete booting. If such manual
> intervention is not needed, a heads up would be appreciated.
> [Leaving a USB key in the system to facilitate self-booting feels no
> better than not encrypting at all to me. Again, if I'm mistaken,
> please note a heads up.]
This does not apply to TrueCrypt/VeraCrypt encrypted partitions, but
for LUKS encrypted partitions you can use Mandos:
https://wiki.recompile.se/wiki/Mandos
The idea is that there is a server on your network that hands out
encryption keys to clients. If somebody steals a client then it will
presumably not have access to the Mandos server, so it will be
locked. If somebody steals BOTH the Mandos server and the client, then
you might be in trouble (but see the documentation for ways around
this). It's a clever idea because the client can reboot without a
password while it is on your LAN, and will require a password outside
of it.
I was using this for a while. It was not foolproof at the time, and
now I generally do not have enough encrypted Linux servers on the same
network to make it worthwhile. But I might try it again sometime.
- Paul